BPCE - 2019 Universal Registration Document

6

RISK REPORT

NON-COMPLIANCE AND SECURITY RISKS

HIGHLIGHTS

The Group Level 2 ISS permanent control database was rolled out to all institutions on the Archer platform (governance/risk management/group controls). Three major projects were also launched:

• formulation of Group Security guidelines aimed at defining its ambitions in terms of cybersecurity, while taking into consideration information system security, IT continuity and the IT legal compliance projects (GDPR, DSP2, etc.);

• preparation of a Group identity and authorization management (IAM) roadmap with the following goals:
  – establishing a Group database of individuals, applications and organizations,
  – implementing Group IAM governance,
  – including, if possible, all Group applications in the IAM roadmap, with automatic provisioning and an overview of authorizations;

• mapping out all Group information systems, including the private systems used by the institutions.

ANTI-CYBERCRIME SYSTEMS

As a result of its digital transformation, the Group’s information systems are becoming increasingly open to the outside world (cloud computing, big data, etc.) and many of its processes are gradually going digital. Employees and customers are also increasingly using the Internet and interconnected technologies such as tablets, smartphones and applications on tablets and mobile devices. Consequently, the Group’s assets are increasingly exposed to cyber threats. The targets of these attacks are much broader than the information systems alone: they aim to exploit the potential vulnerabilities and weaknesses of customers, employees, business processes, information systems and the security mechanisms at Group buildings and datacenters. In response to these threats, a number of anti-cybercrime enhancement initiatives were continued in 2019.

Reinforced detection of unusual data flows and events in information systems (cyberattack detection)

• Creation of a unified Group Security Operation Center (SOC), including a Level 1 supervisor, operating 24/7;

• Integration of a Groupe BPCE CERT (Computer Emergency Response Team) in the InterCERT-FR community run by the ANSSI;

• 2019 expansion of the VIGIE community (Groupe BPCE’s collective due diligence system) to include the Banques Populaires and the Caisses d’Epargne, in order to improve communications and oversight of the private information systems used at these institutions.

Raising employee awareness of cybersecurity

In addition to maintaining the Groupwide program to raise employee awareness of ISS, 2019 saw the development of a new ISS training/awareness-raising plan to be implemented during the year, and the Group’s participation in “European Cyber Security Month”.

Within BPCE SA’s scope of operations, 168 applications were included in the scope of review of authorization rights and management procedures. Not only are applications reviewed, but also user entitlements to IS resources (distribution lists, shared mailboxes, shared files, etc.). Moreover, new employee awareness-raising and training campaigns were launched:

• GDPR training for project leaders and product range managers;

• phishing test and phishing awareness-raising campaign;

• participation in new employee acclimation meetings.


UNIVERSAL REGISTRATION DOCUMENT 2019 | GROUPE BPCE

www.groupebpce.com
